Can Atlassian Access use an alternate email address?

James Frank March 25, 2019

We are part of a family of organizations that all share the same domain name for email addresses. Let's say we have a domain example.com and Company 1's users are john.doe@example.com but Company 2's users are also jane.doe@example.com.

If we are Company 2 and we use Atlassian Access the way the documentation is written we will have to claim example.com as our domain. This will involve all Atlassian accounts for Company 1 and Company 2 becoming managed users for us. (I have verified this with Atlassian billing support. They say that we would have Company 1 users as billable accounts if they had access to any managed product, not just those belonging to Company 2's Atlassian account.)

I can potentially get all our users to have an alternate email address on their Active Directory accounts so they would be jane.doe@example.com and jane.doe@example2.com. I could then claim example2.com as our domain. But can Atlassian Access (with Okta) support passing along the email address to the identity provider as an alternate email address and have the logging in still work?

1 answer

1 accepted

0 votes
Answer accepted
Dave Meyer
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
March 26, 2019

Hi James,

Unfortunately, as best I can tell, this doesn't work. Okta does not allow users to authenticate with the secondary email. So if the user attempted to log in to Atlassian with jane.doe@example2.com and you had verified the example2.com domain, it would certainly be redirected to Okta. However, the user would only be able to log in to Okta with their jane.doe@example.com, which is what Okta would send back to Atlassian, and the SAML assertion would fail, since jane.doe@example.com would not match any user in Atlassian.

We are definitely aware that there are cases where several companies share the same domain and that the domain-based implementation of SAML that Atlassian Access uses is a problem in this situation. We'll be looking at how we can resolve this in the future.

Regards,

Dave Meyer

Atlassian Access Product Management

James Frank March 27, 2019

Thanks, @Dave Meyer. We're fiddling with Okta to see if there's any way we can make it support what you're describing. But for now I'll assume it's not possible.

James Frank March 29, 2019

Hi @Dave Meyer, after talking with our Okta people it looks like this should actually be possible. They said that as long as we can get our users to have two valid emails (jane.doe@example.com and jane.doe@example2.com) then they can support it.

Basically we would register example2.com with Atlassian and make all our users update their email addresses to that (unfortunately it seems there is no bulk way to do this). Then we would turn on Atlassian Access for example2.com.

In the Okta configuration for the Atlassian connection they would enable a simple rewrite so that when sending back the email address of the authenticated user to Atlassian it will change it from jane.doe@example.com (their _actual_ username) to jane.doe@example2.com (what Atlassian thinks the username is). Then because they can receive email at example2.com the notifications would also continue to work.

We're going to give it a try and I will report back in a couple of months.
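The flow the thread is describing, modelled as an added example (constructed here, not Atlassian or Okta code): Atlassian routes a login to the IdP only when the entered address is in the claimed domain, the IdP returns a SAML NameID, and that NameID must match an Atlassian account. The rewrite is assumed to be an Okta Expression Language mapping along the lines of String.replace(user.login, "@example.com", "@example2.com"); the user set and domain are constructed sample data.

```python
"""Model of the domain-routed SAML login discussed above (constructed example)."""
from xml.etree import ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Atlassian side (constructed): the domain claimed for Atlassian Access and
# the directory of managed accounts, keyed by the email Atlassian knows.
CLAIMED_DOMAIN = "example2.com"
ATLASSIAN_USERS = {"jane.doe@example2.com"}

# Okta side (constructed): the user's real Okta username.
OKTA_USERNAME = "jane.doe@example.com"


def okta_name_id(username: str, rewrite: bool) -> str:
    """The value Okta places in the SAML NameID. With rewrite=True this mirrors
    an assumed Okta EL mapping such as
    String.replace(user.login, "@example.com", "@example2.com")."""
    if rewrite:
        return username.replace("@example.com", "@example2.com")
    return username


def build_assertion(name_id: str) -> str:
    """Minimal SAML assertion carrying only Subject/NameID (constructed)."""
    root = ET.Element(f"{{{SAML_NS}}}Assertion")
    subject = ET.SubElement(root, f"{{{SAML_NS}}}Subject")
    ET.SubElement(subject, f"{{{SAML_NS}}}NameID").text = name_id
    return ET.tostring(root, encoding="unicode")


def atlassian_login(entered_email: str, rewrite: bool) -> str:
    """Outcome of a login attempt at the Atlassian account login screen."""
    domain = entered_email.rsplit("@", 1)[-1]
    if domain != CLAIMED_DOMAIN:
        # Unclaimed domain: Atlassian never redirects to the IdP (the caveat
        # about users having to type their @example2.com address).
        return "not-redirected"
    assertion = build_assertion(okta_name_id(OKTA_USERNAME, rewrite))
    name_id = ET.fromstring(assertion).find(f".//{{{SAML_NS}}}NameID").text
    if name_id not in ATLASSIAN_USERS:
        # NameID matches no managed account: the assertion is rejected.
        return "saml-failed"
    return "logged-in"
```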

Dave Meyer
Atlassian Team
March 29, 2019

Hey James,

We actually do provide an API for you, as an admin, to update users' email addresses in your organization:

In the Okta configuration for the Atlassian connection they would enable a simple rewrite so that when sending back the email address of the authenticated user to Atlassian it will change it from jane.doe@example.com (their _actual_ username) to jane.doe@example2.com (what Atlassian thinks the username is).

I didn't know this was possible. That's great to hear!

The only caveat here is that if users log in to Atlassian directly (rather than via the Okta dashboard) I think they will need to know to enter their @example2.com email address on the Atlassian account login screen.

James Frank March 31, 2019

Yeah, the support rep mentioned that. Problem is that to use it we would have to claim example.com in order to be able to leverage the organizations API in order to change their email addresses to example2.com. And claiming example.com is part of the problem in the first place!
